(Created page with "== Items Reviewed == F1 :: retooled version of the link sharing service we looked at in May (https://wiki.mozilla.org/Security/Reviews/F1) * https://wiki.mozilla.org/Labs/F1 * h...") |
Mixedpuppy (talk | contribs) |
Line 9: | Line 9: | ||
** this is partly old code that is being moved to activities | ** this is partly old code that is being moved to activities | ||
== Introduce Feature (5-10 minutes) == | == Introduce Feature (5-10 minutes) == | ||
* Initial release will be "Firefox Share (alpha) | |||
** F1 team is considering this as a labs alpha release | |||
* method for allowing users to share content on their social networks & later email | * method for allowing users to share content on their social networks & later email | ||
** | ** Twitter, Facebook and GMail will be in the initial release | ||
*** Twitter | *** Twitter uses oauth1, secret will be in the addon | ||
*** Facebook uses oauth2, requires no secret | |||
*** GMail uses oauth1, but we're using the "anonymous" secret | |||
**** UX is not great with the anonymous secret | |||
*** GMail uses smtp with xauth (oauth token in place of password) | |||
**** smtp is provided in chrome code, an injected api provides access | |||
* F1 is now a mediator for the "share" activity | * F1 is now a mediator for the "share" activity | ||
** installs specialized webapps for facebook and | ** installs specialized webapps for facebook, twitter and gmail to bootstrap sharing | ||
Differs from OWA (Open Web Applicaiton) because: | Differs from OWA (Open Web Applicaiton) because: | ||
* mediator for F1 is more elaborate than default for OWA | * mediator for F1 is more elaborate than default for OWA | ||
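Review bot: the added line "Twitter uses oauth1, secret will be in the addon" records that the OAuth 1 consumer secret ships inside the add-on, but nothing in this hunk says how that is treated as a risk. Anything distributed in an add-on can be read by whoever installs it, so I'd suggest a sub-bullet stating that this secret is not considered confidential and what happens if the provider revokes the key. Two smaller points: the quote in "Initial release will be "Firefox Share (alpha)" is never closed, and the two separate "GMail uses ..." bullets (oauth1 with the "anonymous" secret, smtp with xauth) would be clearer as one GMail entry with both details under it.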
Line 19: | Line 26: | ||
** pops up a login dialog | ** pops up a login dialog | ||
* we would prefer to not use OAuth where possible (depends on service providers) | * we would prefer to not use OAuth where possible (depends on service providers) | ||
** it is not possible at this time to get away from oauth, it is still a goal over time | |||
** Yes, just "native" OWA if possible. | ** Yes, just "native" OWA if possible. | ||
=== Goal of Feature, what is trying to be achieved (problem solved, use cases, etc) === | === Goal of Feature, what is trying to be achieved (problem solved, use cases, etc) === | ||
* Attempting to make the sharing of web data easier for users | * Attempting to make the sharing of web data easier for users | ||
** remove the NASCAR effect of sharing buttons on an item | ** remove the NASCAR effect of sharing buttons on an item (longer term goal) | ||
=== What solutions/approaches were considered other than the proposed solution? === | === What solutions/approaches were considered other than the proposed solution? === | ||
* Client-Server arch of previous has been abandoned for a browser only solution using OWA | * Client-Server arch of previous has been abandoned for a browser only solution using OWA | ||
* possibly build F1 into OWA directly to avoid cross application issues | * possibly build F1 into OWA directly to avoid cross application issues | ||
** F1 currently includes OWA and oauthorizer addons, both jetpack based | |||
=== Why was this solution chosen? === | === Why was this solution chosen? === | ||
* better privacy protection for users | * better privacy protection for users | ||
* does not put Mozilla in a postition to hold possibly private data / auth secrets for the user | * does not put Mozilla in a postition to hold possibly private data / auth secrets for the user | ||
** this data is currently stored in localstorage of each app (for alpha release) | |||
** data to be stored chrome-side in future releases | |||
=== Any security threats already considered in the design and why? === | === Any security threats already considered in the design and why? === | ||
* ^^ see previous discussion & OWA items | * ^^ see previous discussion & OWA items | ||
== Threat Brainstorming (30-40 minutes) == | == Threat Brainstorming (30-40 minutes) == | ||
* Screenshot image leakage (potentially sensitive data shows up in screenshots that are shared) | * Screenshot image leakage (potentially sensitive data shows up in screenshots that are shared) |
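Review bot: the new sub-bullets under "does not put Mozilla in a postition to hold possibly private data / auth secrets" say this data is stored in localstorage of each app for the alpha and chrome-side only in future releases, yet the visible Threat Brainstorming lines list only screenshot image leakage. I'd add a threat item for auth data held in app localstorage during the alpha, noting what limits access to it, so the interim storage choice is tracked as a risk and not only as a design note. Also, the added "it is not possible at this time to get away from oauth" bullet lands between the "we would prefer to not use OAuth" bullet and its existing answer "Yes, just "native" OWA if possible.", which now reads as a reply to the wrong line; moving the new bullet below that answer would keep the thread readable.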